Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • A correctly configured apache web server that is able to serve an HTTPS web site (https://example.com).
  • A SAML Identity Provider (IdP).
  • An account on that IdP.
  • An attribute that can be used as username in Confluence (for example eduPersonPrincipalName). Attributes for full name and e-mail are optional but recommended. In this case we assume 'mail' and 'displayName' can be used.
  • The user name of the to-be administrator account. So, if you choose eduPersonPrincipalName as the attribute for username, you need to know your own value (for instance 'dvisser@surfnet.nl'.

...

Once this script is here, issue "start confluence" to get going, and watch the log file /opt/confluence/log/catalina.out. After some time you should see something like this:

...

By this time you can point your browser to http://example.com:8090, and it should come up with a configuration wizzard that configuration wizard that will ask for a license key, database credentials, a local admin account, etc. Once that is all done, things should be working, but nothing federated yet, only local accounts.

...

  1. Create a new admin account with the correct federated username. For instance, if you have decided on using eduPersonPrincipalName as the username, and the value of that attribute for your federated account is 'dvisser@surfnet.nl', create an account with that exactly that username. Obviously, Confluence username can 
  2. Make sure this newly created account is a member of "confluence-administrators".
  3. Configure the 

...

Code Block
ServerName example.com
 
ProxyRequests Off
<Proxy http://localhost:8090>
        Order deny,allow
        Allow from all
</Proxy>


ProxyPass /mellon/ !
ProxyPass / http://localhost:8090/
ProxyPassReverse / http://localhost:8090/


# Mobile theme does not honour new seraph values for login URL, so we have to redirect that
RewriteEngine on
RewriteCond     %{QUERY_STRING} ^originalUrl=(.*)$      [NC]
Rewriterule     ^/plugins/servlet/mobile/login          /mellon/login?ReturnTo=%1 [R,NE]

<Location />
        MellonEnable "info"
        MellonSecureCookie On
        MellonSessionDump Off
        MellonSamlResponseDump Off
        MellonEndpointPath "/mellon"
        MellonSPPrivateKeyFile /etc/apache2/mellon/sp.key
        MellonSPCertFile /etc/apache2/mellon/sp.crt
        MellonIdPMetadataFile /etc/apache2/mellon/idp.xml

        # First unset toTo avoid security holes, first unset any existing header
        RequestHeader unset REMOTE_USER
        # Then conditionally set it
        RequestHeader set REMOTE_USER "%{MELLON_usernameeduPersonPrincipalName}e" env=MELLON_usernameeduPersonPrincipalName

        RequestHeader unset FULLNAMECONF_FULL_NAME
        RequestHeader set FULLNAMECONF_FULL_NAME "%{MELLON_fullnamedisplayName}e" env=MELLON_fullnamedisplayName

        RequestHeader unset MAILCONF_EMAIL
        RequestHeader set MAILCONF_EMAIL "%{MELLON_emailmail}e" env=MELLON_emailmail
</Location>

 

By this time, you should be able to download the Service Provider metadata from https://example.com/mellon/metadata, and use it to add it to your IdP, thereby creating a trust relationship. 

And once Once that is done, you should be able to use federated authentication by going to https://example.com/mellon/login?ReturnTo=/%2F

 

 

Confluence - part 2

Now everything is in place to federate Confluence. Make sure that Confluence isn't running any more.

  1. Download the right version of remoteUserAuth.jar from jar (I used 2.2.0) from https://github.com/chauth/confluence_http_authenticator/tree/master/releases, and store it in confluence/WEB-INF/lib
  2. Download https://github.com/chauth/confluence_http_authenticator/blob/master/conf/remoteUserAuthenticator.properties and save it as confluence/WEB-INF/classes/remoteUserAuthenticator.properties. Edit it to suit your needs. The defaults were almost OK, the only thing I needed to change was convert.to.utf8=true.
  3. Edit confluence/WEB-INF/classes/serapth-config.xml and change this section in the beginning: 

    Code Block
    languagehtml/xml
           <init-param>
                <param-name>login.url</param-name>
                <param-value>/login.action?os_destination=${originalurl}</param-value>
            </init-param>
            <init-param>
                <param-name>link.login.url</param-name>
                <param-value>/login.action</param-value>
            </init-param>

    To this: 

    Code Block
    languagehtml/xml
            <init-param>
                <param-name>login.url</param-name>
                <param-value>/mellon/login?ReturnTo=${originalurl}</param-value>
            </init-param>
            <init-param>
                <param-name>link.login.url</param-name>
                <param-value>/mellon/login?ReturnTo=%2Fdashboard.action</param-value>
            </init-param>
    



You should now be able to use federated logins.


 Confluence - mobile theme

The new Confluence feature a dedicated theme for use on mobile devices. This is great, but unfortunately both the login and logout buttons in that theme do not work - they still point to the 'old' static login/logout links.

 Login button

I couldn't find any way to do this in Confluence, so I ended up rewriting it in Apache. See the snippet in the Apache config above.

Logout button
Luckily the logout button can be configured in Confluence, but the configuration file is located inside a Java archive, so it's a little bit of work: